From 3993d5273016185829a2d9dfea66fc4740b4dadc Mon Sep 17 00:00:00 2001 From: Daniel Bolton Date: Mon, 6 Jul 2026 13:40:10 -0500 Subject: [PATCH 1/2] Create service_abuse_adobe_message_from_new_domain.yml --- ...ce_abuse_adobe_message_from_new_domain.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 detection-rules/service_abuse_adobe_message_from_new_domain.yml diff --git a/detection-rules/service_abuse_adobe_message_from_new_domain.yml b/detection-rules/service_abuse_adobe_message_from_new_domain.yml new file mode 100644 index 00000000000..decf98318ca --- /dev/null +++ b/detection-rules/service_abuse_adobe_message_from_new_domain.yml @@ -0,0 +1,28 @@ +name: "Service abuse: Adobe message from newly registered domain" +description: "Detects messages legitimately sent through Adobe's messaging infrastructure (passing DMARC) that contain mailto links pointing to domains registered within the last 30 days." +type: "rule" +severity: "medium" +source: | + type.inbound + // from Adobe + and sender.email.email == 'message@adobe.com' + and headers.auth_summary.dmarc.pass + // sender has a recently created email domain + and any(filter(body.links, + .href_url.scheme == 'mailto' + ), + network.whois(.href_url.domain).days_old < 30 + ) +tags: + - "Attack surface reduction" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Social engineering" + - "Lookalike domain" +detection_methods: + - "Sender analysis" + - "Header analysis" + - "URL analysis" + - "Whois" \ No newline at end of file From d8a00ceabdc1aed0685e2187d3af2dd2f80de897 Mon Sep 17 00:00:00 2001 From: CI Bot Date: Mon, 6 Jul 2026 19:06:43 +0000 Subject: [PATCH 2/2] Auto-format MQL and add rule IDs --- .../service_abuse_adobe_message_from_new_domain.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/detection-rules/service_abuse_adobe_message_from_new_domain.yml b/detection-rules/service_abuse_adobe_message_from_new_domain.yml index decf98318ca..86016fd3fbc 100644 --- a/detection-rules/service_abuse_adobe_message_from_new_domain.yml +++ b/detection-rules/service_abuse_adobe_message_from_new_domain.yml @@ -8,10 +8,8 @@ source: | and sender.email.email == 'message@adobe.com' and headers.auth_summary.dmarc.pass // sender has a recently created email domain - and any(filter(body.links, - .href_url.scheme == 'mailto' - ), - network.whois(.href_url.domain).days_old < 30 + and any(filter(body.links, .href_url.scheme == 'mailto'), + network.whois(.href_url.domain).days_old < 30 ) tags: - "Attack surface reduction" @@ -25,4 +23,5 @@ detection_methods: - "Sender analysis" - "Header analysis" - "URL analysis" - - "Whois" \ No newline at end of file + - "Whois" +id: "9f7abbfe-5ecf-5686-a070-c1a465a1af80"